How might the feds have snooped on Lavabit?

Founder no longer thinks his encrypted e-mail service can withstand secret court orders.

In 2004, a 22-year-old technology enthusiast named Ladar Levison hatched a venture that fused his passion for open-source software with his belief that privacy was a fundamental right. Using the OpenSSL cryptography library, the Linux-based operating system, and close to 10,000 programming hours, he built what ultimately became Lavabit, an e-mail service that, when used correctly, made it impossible for even him to read the encrypted messages stored on his servers.

The goal from the start was to develop a technical underpinning that would resist the secret National Security Letters (NSLs) that had been authorized under the PATRIOT Act of 2001. Short for Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, the statute required service providers to surrender private data relating to users named in an NSL.

Even more disturbing to Levison, the law strictly prohibited providers from disclosing the existence of the secret demand, which, unlike normal subpoenas, were issued without the oversight of a legal court. (The constitutionality of those gag orders has been called into question by at least one recent court order.) Levison's plan was simple enough—use multiple levels of encryption to ensure that only someone who knows the user-chosen password protecting each account could decode the protected messages. Because Lavabit stored the passwords as one-way hashes that were generated by a complex cryptographic algorithm, even Lavabit operators were unable to obtain the plain-text characters.

Over the decade that followed, the service developed a loyal following. By earlier this year, it was generating annual revenue of about $100,000 from about 10,000 paying customers and courted another 400,000 people registered to use its free service. Its most visible milestone came in July when several human rights groups received an e-mail from edsnowden@lavabit.com, an address belonging to Edward Snowden, the former National Security Agency contractor charged with espionage after revealing an expansive surveillance program involving ordinary Americans. But rather than fuel even more explosive growth, the high-profile endorsement was quickly followed by a message announcing Lavabit's immediate closure. Levison declined to say whether there was any connection between the closure and the revelation that Snowden used the service.

Levison said he has always known Lavabit safeguards could be bypassed if government agents took drastic measures, or as he put it, "if the government was willing to sacrifice the privacy of many to conduct surveillance on the few." For instance, if he was forced to change the code used when a user logs in, his system could capture the plain-text password needed to decrypt stored e-mails. Similarly, if he was ever forced to turn over the private encryption key securing his site's HTTPS certificate, government agents tapping a connection could observe the password as a user was entering it. But it was only in the past few weeks that he became convinced those risks were realistic.

"I don't know if I'm off my rocker, but 10 years ago, I think it would have been unheard of for the government to demand source code or to make a change to your source code or to demand your SSL key," Levison told Ars. "What I've learned recently makes me think that's not as crazy an assumption as I thought."

Levison was very limited in what he would say. His lawyer has suggested he's bound by a legal gag order. Asked if he or Lavabit has received a National Security Letter or any sort of classified court order, he response is: "I can neither confirm nor deny that." But he was willing to talk with us about how his system was constructed, the assumptions he used to hold, and the assumptions he holds now. That allows us to explore what, hypothetically, the government may have been asking for—giving insight into the strategies and methods of the national security agencies. Security consultant Mark Burnett recently posted his own speculation about what the government might have asked Lavabit to do.

To prevent even operators from being able to decrypt user e-mail stored on servers, Lavabit deployed multiple levels of cryptographic protections. Messages were encrypted with a user's public key and could only be decrypted with a corresponding private key. That private key was itself encrypted and could only be decoded when the end-user entered a password. For safekeeping, the password was never stored as plaintext on Lavabit servers, according to documentation Levison provided to users. The password was combined with a cryptographic "salt" and was then hashed using multiple iterations of the SHA512 cryptographic function. Once a user entered the correct password, it would unlock the private key, which in turn decoded an encrypted e-mail.

The system was further designed to scrub the plaintext password and the unencrypted private key from server memory as soon as a transaction was completed. That was intended to make it impossible to decipher the messages by anyone who didn't have the human-readable password. Even if the servers were rooted by hackers or accessed by government agents, all the intruders would be able to access were one-way hashes and the encrypted messages. Since it's cryptographically impossible to reverse a hash, the secrets would remain secure. At least in theory, that meant the only way a hacker or government snoop could defeat the system and decrypt a user's e-mail was to crack the hashes using cracking dictionaries or brute-force attacks, both of which are impractical when users have chosen extremely long, randomly generated passwords.

All along, Levison spotted at least two ways his system could be subverted. The first was for an adversary to obtain the private key his server used to HTTPS encrypt the password and other sensitive data as it traveled between the user and the Lavabit server. The other was that Levison could somehow be forced to rewrite his source code and build a trap for users. For instance, Levison or anyone else with control over Lavabit might redesign the system so plaintext passwords were written to a log as soon as they were entered by the user, rather than being scrubbed from the system. Levison believed he had legal protections that would prevent the government from exploiting either weakness. After all, he had never heard of service providers being compelled to reveal the private key used to authenticate and encrypt HTTPS connections. Similarly, he was aware of no precedent mandating service providers change source code against their will.

"In terms of policy, I always believed that even though those were theoretical vulnerabilities, they couldn't be exploited because basically they would be requiring me to do things that I didn't think the law would allow for," he said. "I have reason to believe, not necessarily in relation to anything involving Lavabit but just in talking to other people in the industry and cryptography experts, that that assumption doesn't necessarily hold true anymore." He declined to identify the industry people he talked to. On Monday, the Lavabit Legal Defense Fund said it has raised $140,000 from more than 4,000 donors.

Remember Hushmail?

Government officials didn't immediately respond to a request for comment, so there's no way to independently confirm the suspicions. Assuming they're true, this wouldn't be the first time a service has changed the behavior of its software to assist government investigators. In 2007, Hushmail, an encrypted e-mail provider with similar technical protections as Lavabit, turned over 12-CDs-worth of e-mails from three account users named in a Canadian court order targeting illegal steroids distribution, a Wired journalist reported at the time. A Hushmail CTO told the publication of a general vulnerability in the service that involved the possible logging of a plain-text password when the user accesses the service.

"In the case of the alleged steroid dealer, the feds seemed to compel Hushmail to exploit this hole, store the suspects' secret passphrase or decryption key, decrypt their messages, and hand them over," Wired reporter Ryan Singel wrote.

Levison's comments are also in keeping with recent reporting from CNET's Declan McCullagh, who said the federal government has attempted to obtain the master encryption keys Internet companies use to protect users' private Web communications from eavesdropping.

Despite the parallels, however, both practices would be "outrageous" if feds actually forced them on Lavabit, said Jon Callas, who is co-founder and CTO of SilentCircle, a privacy startup that dismantled its encrypted e-mail service hours after Levison shuttered Lavabit. (The company's services for encrypting cell phone conversations and text messages remain in place.)

"I have been told that they cannot change your fundamental business practices," said Callas, who unlike Levison was able to say SilentCircle has received no NSLs or court orders of any kind. "I presume that would mean things like getting SSL keys because that would mean they could impersonate your servers. That would be like setting up a store front that says your business name and putting [government agents] in your company uniforms." Similarly, he added: "They cannot make changes to existing operating systems. They can't make you change source code."

To which Levison replied: "That was always my understanding, too. That's why this is so important. Like [Callas] at SilentCircle said, the assumption has been that the government can't force us to change our business practices like that and compromise that information. Like I said, I don't hold those beliefs anymore."

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.

If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice .

The ability for the US government to compel you to turn over passwords or other keys is hotly debated and the courts are by no means settled on it.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.

If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice .

If things are encrypted such that you do not have access to the plaintext of the documents, the only thing you can do is hand over the cyphertext. If it were obstruction of justice to be unable to comply with a warrant, we'd be able to put people in prison for not handing over a unicorn.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.

If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice .

The ability for the US government to compel you to turn over passwords or other keys is hotly debated and the courts are by no means settled on it.

It is the compelling of the third party to produce my documents I disagree with. There are already penalties in place should the subject of a warrant hinder investigation or destroy/hide evidence.

"I have been told that they cannot change your fundamental business practices," said Callas,

I think the immunity Congress was forced to grant to all of the telecoms in 2008 shows he underestimates the power of the NSA to not only compel a change to an existing business practice, but also to break the law.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.

If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice .

I am not American, and I would prefer it if American agencies didn't have access to my personal correspondence warrant or not.

I appreciate the indepth speculation of this article but the fact remains that the US Government has bullied a private citizen and a private company into doing something it did not want to do, while it was operating completely within the law, under some threat serious enough for that person to shut down his business.It is tyranny and needs to be stopped.Unfortunately, the reality is that people need to stand up and speak out under threat of imprisonment, take the jury trial route, and have a jury of your peers acquit you. Even more unfortunate, is that the system is so fucked now that:1. Innocent people get threat of imprisonment for some government witch hunt;2. Innocent people cave to threat and submit;3. Innocent cannot get courts to throw criminal cases out for those who do not submit;4. Innocent people who sue the government for said abuses cannot get government immunity withheld to get to jury trial;5. Innocent people spend big money to fight this tyranny vs. the infinite government budget;6. All the corrupt judges, politicians, police, and military/industrial/spy complex get more and more powerful.

"I have been told that they cannot change your fundamental business practices," said Callas,

I think the immunity Congress was forced to grant to all of the telecoms in 2008 shows he underestimates the power of the NSA to not only compel a change to an existing business practice, but also to break the law.

Yes, once you open the Pandora's box where they can make the law whatever they want it to be, all bets are off. I'm hoping the outcry will slow them down, but I doubt they can be stopped. They have been exposed employing illegal and unconstitutional means, and what happened? Nothing, they are going about business as usual.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice .

The ability for the US government to compel you to turn over passwords or other keys is hotly debated and the courts are by no means settled on it.

The courts are not settled on it because many courts are so far removed from their primary job- enforcing the US Constitution. 5th Amendment in simpleze is that you do not have to tell on yourself or provide evidence against yourself.

The courts have it wrong and should be ashamed. Under the 5th Amendment, you should not have to provide passwords, urine, blood, breath, or say jack shit ever. It is up the government to prove you guilt beyond a reasonable doubt after an indictment based upon probable cause.

The other problem with the courts is that they are protecting the executive branch with super immunity from civil suit. If the DOJ would throw government employees in prison for violating the US Constitution, this stuff would stop- Immediately! If people could sue and get millions in damages for this type of tyranny or police brutality, this crap would stop- Immediately! Starve the beast...

Going on record to say that I've never received an NSL. If I do get one, I'll be unable to confirm or deny that I have.

Someone clearly didn't think that through.

I'm pretty sure the American Library Association does something like this, with a regularly updated list of libraries which have either NOT received an NSL that month, or can neither confirm nor deny it.

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice .

Who says? That is not what "warrants" are for. Warrants have historically fallen under the following categories:1. Search2. Arrest3. Execution;4. Dispossessory/eviction5. CommittalTheses do not include forcing a potential criminal suspect to tell on themselves. ie turn over passwords.

The other problem with the courts is that they are protecting the executive branch with super immunity from civil suit. If the DOJ would throw government employees in prison for violating the US Constitution, this stuff would stop- Immediately! If people could sue and get millions in damages for this type of tyranny or police brutality, this crap would stop- Immediately! Starve the beast...

They have been exposed employing illegal and unconstitutional means, and what happened? Nothing, they are going about business as usual.

Worse than nothing, they have quite literally been chastised by millions for illegal, immoral and unpopular actions. They have, for all intents and purposes, turned around and said "No, it's fine. This is legal, it's in your best interests, we're going to keep doing it whether you want it or not."

They are now acting almost certainly outside the law, they are definitely acting against the wishes of the majority, they are doing it all with impunity and on top of all this it's funded with money taken from the public.

I understand the wordplay that various parties are forced to use in order to convey information without violating the letter of the law, but the following phrase still concerns me:

Quote:

said Callas, who unlike Levison was able to say SilentCircle has received no NSLs or court orders of any kind.

The author, Mr. Goodin, is clearly implying that Levison is unable to say whether he has received an NSL. This is different from Levison merely stating that he cannot confirm whether he has or hasn't.

My only concern is that the gov might want to "subpoena" the contents of the actual interview to confirm whether Levison goofed up and mistakenly leaked why his response is "..neither confirm nor deny..".

The courts are not settled on it because many courts are so far removed from their primary job- enforcing the US Constitution. 5th Amendment in simpleze is that you do not have to tell on yourself or provide evidence against yourself.

The courts have it wrong and should be ashamed. Under the 5th Amendment, you should not have to provide passwords, urine, blood, breath, or say jack shit ever. It is up the government to prove you guilt beyond a reasonable doubt after an indictment based upon probable cause.

The courts have long held that there are reasonable exceptions to virtually every power. Given that the first of these happened when most of the Framers were still alive and they didn't do much to change it, it's a good bet that they meant for it to be flexible. That's why your fingerprints can be taken on arrest.

In the case of drunk driving, you actually can refuse any and all testing, but this generally results in the immediate suspension or revocation of your license. Think about it: you're demanding that the government prove that someone was drunk and then denying the ability to collect any evidence other than the judgment of the arresting officer. A little leeway goes a long way not just in enforcing the law, but in protecting people from corrupt, angry, or tired cops declaring them drunk and that being the essential end of it.

Quote:

The other problem with the courts is that they are protecting the executive branch with super immunity from civil suit. If the DOJ would throw government employees in prison for violating the US Constitution, this stuff would stop- Immediately! If people could sue and get millions in damages for this type of tyranny or police brutality, this crap would stop- Immediately! Starve the beast...

All national governments have general immunity from civil suit and have since time immemorial because a lack of it would render every government completely incapable of functioning and lock the courts up completely. The United States is no different, and the Framers again backed this idea in their arguments and actions, even if it's not clearly spelled out with those words in the Constitution itself. In fact, when individual state sovereignty was threatened in a case involving Georgia, the Eleventh Amendment was quickly proposed and passed, taking less than a year to be ratified. There are exceptions written into the law, but they're limited and largely intended to keep government employees in line.

I understand the wordplay that various parties are forced to use in order to convey information without violating the letter of the law, but the following phrase still concerns me:

Quote:

said Callas, who unlike Levison was able to say SilentCircle has received no NSLs or court orders of any kind.

The author, Mr. Goodin, is clearly implying that Levison is unable to say whether he has received an NSL. This is different from Levison merely stating that he cannot confirm whether he has or hasn't.

My only concern is that the gov might want to "subpoena" the contents of the actual interview to confirm whether Levison goofed up and mistakenly leaked why his response is "..neither confirm nor deny..".

The legal minutiae are a gnat on an elephants ass. The law is whatever they say it is. The big issue is their assumption of unlimited coercive power. Defy them and you're in prison.

anyone who trusts an encrypted email store but depends on unencrypted emails is just asking for trouble. It's that simple.

If the e-mail is ever in the clear on the remote end, you have no real confidentiality.

could one design a system that provided better protection than lavabit? yes. for instance, let the messages come in the clear, but once encrypted on the server, are unable to be decrypted by the server at all (i.e. server never has the decryption key).

It sill wouldn't protect new incoming e-mail, but it would protect already received e-mail.

but in practice, if you need confidentiality, you need end to end confidentiality. Learn to use PGP. Or S/Mime.

Going on record to say that I've never received an NSL. If I do get one, I'll be unable to confirm or deny that I have.

Someone clearly didn't think that through.

His lawyer carefully crafted the reply. The first part you give is not in his statement.

The actual quote is:"Asked if he or Lavabit has received a National Security Letter or any sort of classified court order, he response is: "I can neither confirm nor deny that." "

Bluntly, he did receive an NSL with a clause stating that he is not allowed to tell anyone. If he had not received an NSL, then he would have been able to say "I have not received an NSL". Legally he is in compliance with the court order even as he violates the spirit of the order by not lying.

Confirming would violate the order, denial would be lying to the interviewer. Since he cannot confirm and does not wish to lie, then he can only reply with variations on "No comment".

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.

If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice .

If things are encrypted such that you do not have access to the plaintext of the documents, the only thing you can do is hand over the cyphertext. If it were obstruction of justice to be unable to comply with a warrant, we'd be able to put people in prison for not handing over a unicorn.

The implication of his "speculations" is that the NSL required modification of source or procedure to allow harvesting of passwords and encryption keys. Since he could not comply without violating the Terms of Service, he shut the service down.

All this is speculation of course. The NSL that he cannot legally talk about contains the order he legally unable to describe...though he can "speculate" based on things he has known to be potential weaknesses

His lawyer carefully crafted the reply. The first part you give is not in his statement.

I didn't say it was. I was saying that *I* have not received one.

My point was that whoever came up with the gag order idea didn't think it through. Gag orders usually bar someone from discussing the content of something, not the something itself. Those work. These do not.

Going on record to say that I've never received an NSL. If I do get one, I'll be unable to confirm or deny that I have.

Someone clearly didn't think that through.

Your point brilliantly proves just how stupid people who make rules often are. Now they need a law that prohibits anyone from ever commenting about National Security Letters whether or not they have received one.

These are the issues we must push. Not 'they are reading all our emails' which is clearly clearly impossible and easy to refute as general alexander has been doing. What they are doing is building systems and databases so they could if they chose access any and all information on you at a later date. While also ensuring any secure systems have security holes and are basically scams if they continue to operate. Does it not seem outrageuosly unsecure to require every tech company in the US to ensure their systems are not secure? Alas NZ is about to legislate for this to be required...

A thought though... what happens if some linux distribution decides to implement full encryption by default, with keys generated on the machine at install in the home. They couldn't get the key off the the developers and any security holes would be open source due to licence obligations... and if everyone used linux :-p

It does not matter how strongly encrypted your documents are. The fourth amendment in the US constitution gives law enforcement a legal tool called warrants, so you will have to provide a key to decrypt your documents if a warrant is issued by a judge.

If you as a third party do not comply with the warrant then you are obviously committing obstruction of justice .

If things are encrypted such that you do not have access to the plaintext of the documents, the only thing you can do is hand over the cyphertext. If it were obstruction of justice to be unable to comply with a warrant, we'd be able to put people in prison for not handing over a unicorn.

The implication of his "speculations" is that the NSL required modification of source or procedure to allow harvesting of passwords and encryption keys. Since he could not comply without violating the Terms of Service, he shut the service down.

All this is speculation of course. The NSL that he cannot legally talk about contains the order he legally unable to describe...though he can "speculate" based on things he has known to be potential weaknesses

Right, but that's not what Jousle was saying. He was saying that it would be obstruction of justice not to turn over information you don't have. A warrant can't do that. An NSL may or may not require you to change your source code such that the government can access that information, and I think that should be illegal, especially with the self referential gag order that may or may not exist in reference to such an order. Nevertheless, the inability to comply with a warrant is not a crime.

anyone who trusts an encrypted email store but depends on unencrypted emails is just asking for trouble. It's that simple.

If the e-mail is ever in the clear on the remote end, you have no real confidentiality.

Any encrypted communication is only as safe as the security on either end, regardless of how good it is in the middle.

At this point... how much do you even trust VeriSign as a "trusted third party"? Forget the middle part too.

Verisign provides authentication, but it's not necessary for unbreakable p2p encryption. Stuff like OTR and PGP are theoretically unbreakable in transit, but that means nothing if either of the endpoints are compromised.

silly, silly americans. this is what belief in a few words on a raggedy old scrap of paper does for you. precisely nothing, you have spent decades spouting crap to the rest of the world about your "wonderful constitution" mean while your wonderful governments have been shafting the publics arse as much and as often as they like and now that some of you have noticed said shafting you seem surprised, why do you think rest of the world ignored your crap for so long? answer, because they knew it was crap. here in the uk, we have magna carter, its a load of crap, it gives certain protections to certain members of the elite, thats it, thats what it actuly says, which is why no ordinary member of the public attaches any importance to it, its just a few words on some scraps of paper. we learnt centuries ago that you try and control goverments actual behaviour to the public by watching what they do, not what they say they do in your name. your constitution should simply say, do as we say, not what we do.